Microsoft Fixes 12 Bugs in January Patch Tuesday, But Not IE Zero-Day

Microsoft released seven bulletins fixing 12 vulnerabilities in the first Patch Tuesday release for 2013. As expected, a fix for the zero-day vulnerability in Internet Explorer was not part of the release.

Of the seven bulletins, only two were rated "critical"; the remaining five were rated "important," Microsoft said in its January Patch Tuesday advisory. While none of these issues are being exploited in the wild at the moment, "once the path leads smart, malicious hackers to the issue, it won't be long before exploits start," Ross Barrett, senior manager of security engineering at Rapid7, told SecurityWatch.

Only Two Critical Bulletins

One of the critical patches was rated the "most important patch in the lineup" by Qualys CTO Wolfgang Kandek, as it affects every Windows version from XP to Windows 8, RT, and Server 2012, along with all versions of Microsoft Office and other Microsoft applications, such as SharePoint and Groove. The flaw in the MSXML library (MS13-002) could potentially be exploited by tricking users into visiting a malicious website or opening a booby-trapped Office document attached to an email.

The other critical bulletin affects the Microsoft Windows Printer spooler software in Windows 7 and 2008 (MS13-001). The attacker could potentially queue malicious print job headers to exploit clients which connect, but it cannot be triggered by normal means. No one should have a print spooler accessible outside the firewall, but the flaw could be exploited by malicious insiders or as part of a privilege escalation attack, Barrett said.

While not as serious as the print spooler flaws exploited by Stuxnet, the fact that this bug could be used in a watering hole–style attack will make it "pretty popular in attacker forums," said Andrew Storms, director of security operations for nCircle. It should be patched, "pronto," he added.

Important Bulletins

The important bulletins addressed issues in .NET (MS13-004), the Windows kernel (MS13-005), the Secure Socket Layer implementation in Windows Vista (MS13-006), Open Data Protocol (MS13-007), and a cross-site scripting flaw. While the .NET bugs could have been exploited to remotely execute code, the new sandbox recently introduced into all versions of .NET decreased the "exploitability," said Paul Henry, security and forensic analyst for Lumension.

The flaw in the win32k.sys kernel module affected the AppContainer sandbox in Windows 8. While it was not a critical flaw on its own, it could be used in conjunction with other vulnerabilities to attack a Windows 8 system, Kandek said.

The two elevation of privilege issues in the Microsoft SCOM console made the login page vulnerable to a cross-site scripting attack, Microsoft said in the advisory. They are both non-persistent XSS, which means that administrators must be convinced to visit the malicious page at a specific time, Tyler Reguly, technical manager of security research and development at nCircle, told SecurityWatch.

Zero-Day Not Fixed

As expected, Microsoft did not have a fix for the zero-day vulnerability currently affecting Internet Explorer 6, 7, and 8. Even though the issue is in the older versions of the Web browser, they actually represent 90 percent of the IE installed base, said Kandek. The active exploit is currently targeting IE8, so users should upgrade to the safer IE9 or IE10 if possible.

The Fix-It released last week blocks a specific attack, but Exodus Intelligence researchers found other ways to trigger the vulnerability even after applying the temporary workaround. Even so, administrators should still deploy the Fix-It, but they should also consider running Microsoft's Enhanced Mitigation Experience Toolkit, which can block attempts to trigger the zero-day flaw.

About the Author

Fahmida Y. Rashid is a senior analyst for business at PCMag.com. She focuses on ways businesses can use technology to work efficiently and easily. She is paranoid about security and privacy, and considers security implications when evaluating business technology. She has written for eWEEK, Dark Reading, and SecurityWeek covering security, core Inte...
